
76% of Web Users Affected By Browser History Stealing

Posted by CmdrTaco
from the seems-like-it-should-be-more dept.
An anonymous reader writes "Web browser history detection with the CSS :visited trick has been known for the last ten years, but recently published research suggests that the problem is bigger than previously thought. A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites. Newer browsers such as Safari and Chrome were even more affected, with 82% and 94% of users vulnerable. An average of 63 visited locations were detected per user, and for the top 10% of users the tests found over 150 visited sites. The website has a summary of the findings; the full paper (PDF) is available as well."
  • You shouldn't have been browsing the internet. But I am curious... how is this information used maliciously, excluding advertising?
    • Well for starters, I can email you a joke of the day and log whether you've been to the craigslist personals lately. Your wife might not like knowing that.

    • They give your PC a cookie and then they can see by your history how old you are, your favorite porn sites, if you're gay, etc.

      Then they sell that info to advertisers and their ilk.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        No need for cookies, you just use javascript and CSS.

        I actually implemented a history sniffer for an online advertising company a few years ago; we were using it as an additional selling point for potential advertisers, as in "We can tell you what percentage of your visitors have visited your rivals' landing pages".

        Worth remembering you can only test against a list of exact urls that you're interested in, you can't just go browsing through a visitor's history. In other words, if I wanted to know how many pa

        • by wjousts (1529427)

          No need for cookies, you just use javascript and CSS.

          No need for JavaScript either. You can do it with CSS alone.

    • by Pojut (1027544)

      how is this information used maliciously, excluding advertising?

      Many people consider advertising to be a malicious use.

      Personally, I don't mind my information being used for advertising. Living in 2010, it's an unavoidable fact of life that we are going to encounter advertising everywhere. I would much rather it be for products and services that I actually have an interest in rather than stuff I don't care about.

    • by Nadaka (224565) on Wednesday May 19, 2010 @11:19AM (#32265562)

      People generally use the same or similar usernames and passwords for most of their online identities. If you know someone in particular uses facebook.com, hotmail.com, kittenwar.com and randombank.com you can use facebook and kittenwar as attack vectors against their email and banks. Alone, history sniffing does not present a huge threat. But it can dramatically increase someone's vulnerability to identity theft.

      • I use a different set of passwords depending on importance. I treat my online "social website" identities like public information, don't put what I wouldn't want found up. If more people simply did that, it'd be a lot easier.
      • It only detected 2 out of 20+ sites I visited since last clearing out my cache (slight porn guilt makes me do it every so often) both of which have passwords I use only for those sites. I don't really care if someone gets my slashdot account details or twitter details. It's certainly not the end of the world.
    • by TheMeuge (645043)

      I am not a programmer... but it seems absolutely amazing to me that since this vulnerability has become known (10 years?) nothing has been done to address it. The only two ways to avoid having your history accessed this way are either to prevent your browser from marking sites as "visited" altogether, or to regularly delete your browsing history.

      How is it that Firefox, an open-source browser, still hasn't had this issue fixed in all these years?..

      • Re: (Score:3, Insightful)

        by GungaDan (195739)

        Doesn't unchecking the "keep my history" button under "privacy" take care of this?

      • Re: (Score:3, Informative)

        by TheCycoONE (913189)

        http://blogs.msdn.com/ieinternals/archive/2009/06/17/CSSHistoryProbing.aspx [msdn.com] is an article on the subject.

        Essentially the vulnerability is a feature of the spec. Even without JavaScript or cookies, the CSS specification allows a web developer to specify that a particular icon/cursor/background-image should be shown for visited links. The exposure is that the client only downloads resources when they are needed to preserve bandwidth, and the server knows what has been requested from it, so I could put in t [google.com]

        • But browsers could be made to download just :visited images, as a security-related exception to the "download as needed" policy. This shouldn't affect performance at all, since sites that actually do this for "legitimate" reasons should be vanishingly rare.
          • > browsers could be made to download just :visited images

            Wouldn't that just alter the attack? In the end they will just make it infer the 'visited' state from other things that are much harder to block. (Eg: change the link to bold if visited - now its bounding box is slightly larger, which you can detect in javascript and use to report back if the user visited the site). I think the protection has to be positioned further back in the chain: a visited style will only be rendered if the user visited

        • by psbrogna (611644) on Wednesday May 19, 2010 @12:33PM (#32266566)
          I don't think you're correct in your list of options for protecting against the vulnerability. As a general principle, client side code from an untrusted source (ie. the web) should only have access to client side content which originated from the same source. In the case we're talking about, the content has been modified by the client based on private client state (ie. visited links), at this stage, the content should no longer be accessible to the code. If the rendering pipeline were more compartmentalized (ie. think XSLT translation steps), then code in one department wouldn't have access to content that has been modified based on private client state.

          In this manner, the client environment could modify the content at will (ie. changing style for links to web sites you've been to, blocking ads, stripping flash, turning off client side code functionality entirely, etc.) without fear of what's being harvested or inferred. I don't know what a client's browser does to a dom to make it consumable by the deaf or blind, but if that's something that can be detected by untrusted code then I believe it's another example of violating a user's privacy.
        • Re: (Score:3, Informative)

          by tuomasb (981596)
          Here is a demonstration of the hack using only CSS: http://ha.ckers.org/weird/CSS-history.cgi [ckers.org] You can also use: background: url("logger.php?site=pornsite.com"); No need for the background to be a real image. This even works if you're using Noscript with Firefox.
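
Added example, not part of any comment in this thread: a stylesheet audit in JavaScript (Node) for the two :visited leaks described in the comments above, a resource fetched only for visited links and a style change that alters layout. The function name, the sample stylesheet and the allow-list are assumptions of this example; the allow-list follows the colour-only restriction that browsers later applied to :visited.

```javascript
// Added example (not from the thread): flag :visited rules that can reveal history.
// ASSUMPTION: SAFE_PROPS mirrors the colour-only :visited restriction browsers later adopted.
const SAFE_PROPS = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'fill', 'stroke',
]);

// Declarations, keeping quoted strings and url(...) bodies intact across ';'.
const DECL_RE = /([\w-]+)\s*:\s*((?:"[^"]*"|'[^']*'|\([^)]*\)|[^;])+)/g;

function auditVisitedRules(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, '');   // drop comments
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;                  // innermost rule blocks
  let rule;
  while ((rule = ruleRe.exec(css)) !== null) {
    const selector = rule[1].trim();
    if (!/:visited\b/i.test(selector)) continue;           // only :visited rules matter
    for (const [, rawProp, rawValue] of rule[2].matchAll(DECL_RE)) {
      const property = rawProp.toLowerCase();
      if (/url\s*\(/i.test(rawValue)) {
        // The server sees a request only when the link is in the visitor's history.
        findings.push({ selector, property, reason: 'loads-resource' });
      } else if (!SAFE_PROPS.has(property)) {
        // Layout or size changes can be measured by script on the page.
        findings.push({ selector, property, reason: 'non-color-property' });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet (hypothetical selectors and URL).
const SAMPLE_CSS = `
  a:link { color: blue; }
  /* resource requested only for visited links */
  a#probe1:visited { background: url("logger.php?site=example.test"); }
  a.thread:visited { color: purple; }
  a#probe2:visited { font-weight: bold; }
`;

console.log(auditVisitedRules(SAMPLE_CSS));
```
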
      • ...or to regularly delete your browsing history.

        Maybe I belong in the tin-foil hat crowd, but I have my browser set to do this every time I close it.

    • 1) Spear-phishing. When I threw my browser (Chrome) at it, it spit back a list of specific pages at online vendors. From there, you can make some pretty good guesses about things I've bought lately: in this case, a Dell laptop. I wouldn't click on a recall notice from Dell (register for a replacement kit!), but a lot of people would go down that rabbit hole.

      2) Same-password attack. Site A requires login, scrapes list of your recently used sites, then tries the same user/password at B, C, D from your history

    • According to their link it isn't even that good. It showed that I came here and twitter meaning it missed out about 20+ other sites. Considering I didn't do much at all at twitter and I don't who knows I come here, I'm not too worried.
  • Chrome 5 (Score:5, Interesting)

    by binkzz (779594) on Wednesday May 19, 2010 @11:04AM (#32265350) Journal
    Using Chrome 5 development version, the site says it can't find any history on my machine at all (not using incognito).

    Firefox, on the other hand, has a potty mouth.
  • by rueger (210566) on Wednesday May 19, 2010 @11:05AM (#32265362) Homepage
    Hey Taco! "Vulnerable" and "Affected by" are not synonyms.
  • by chebucto (992517) on Wednesday May 19, 2010 @11:05AM (#32265368) Homepage

    TFA describes a honey-pot based study. It doesn't describe a real-world study of people whose browser histories were actually stolen by actual malicious websites.

  • 94%? (Score:5, Funny)

    by Thanshin (1188877) on Wednesday May 19, 2010 @11:08AM (#32265394)

    In today's news:

    Just a small sliver of web users are victims of Browser History Stealing. Most are running Windows 7, connecting through an iPhone and paying Facebook for the privilege.

  • Does this mean that potentially hundreds of sites know that I visit slashdot regularly?!?!?

    Well, there goes my bad boy persona.

    • Re: (Score:1, Offtopic)

      by RJFerret (1279530)

      Nah, it was the collection in your history of Disney.com, gurl.com, Barbie.com, JustinBieberMusic.com, GirlsOnlyForum.com...actually...the gurl.com in there might enhance your "bad girl" persona.

      When you played the barbie dress up game, did you dress her as a rocker chick?

    • Does this mean that potentially hundreds of sites know that I visit slashdot regularly?!?!?

      So much for Anonymous Coward.

  • by Anonymous Coward on Wednesday May 19, 2010 @11:13AM (#32265472)

    According to http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/ a future version of Firefox will address the :visited privacy issue.

    One could also set layout.css.visited_links_enabled=false via about:config to disable :visited completely (at least until the issue is fixed in a future Firefox release).

    • by darkinnit (710102)
      Is there any way to implement a similar workaround in Chrome, Opera, Safari and dare I ask... IE?
    • Well that was easy. Thank you.
  • Today is a day, First chrome not hiding you correctly and now all your visited pages are being displayed via css:hover. The problem is as we get more "user-friendly" we take short cuts and become lazy, my personal approach to this is to have my most visited websites in my Fav's list and set Firefox, Chrome and IE to different roles. For example I use firefox for work (logmein), IE is there for the bad websites that still don't load correctly in other browsers and Chrome for general browsing (threaded tabs for
  • WTF? (Score:1, Redundant)

    by foghorn19 (108432)

    "A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites."

    Vulnerable != affected

  • ...fixes have landed in Firefox and Chrome trunks for this problem. Chrome's should be in the beta branch, or at least the dev branch, not sure about Firefox's. The Bugzilla link confirms Firefox has the fix (not sure which Firefox release Gecko 1.9.3 corresponds to... latest 3.6 maybe?)

    Can't test right now since the test site isn't on my company's firewall whitelist...

  • old news (Score:1, Informative)

    by karlzt (1410199)

    this was on LWN a long time ago: http://lwn.net/Articles/350390/ [lwn.net]

  • by RapmasterT (787426) on Wednesday May 19, 2010 @12:31PM (#32266534)
    I tried...I tried really hard and almost soiled myself with the effort, but I just can't care about my browser history being "stolen".

    that's like calling my garbage being stolen every week when the big truck comes and takes it away.

    Hell, the more time people spend stealing browser histories is time they're not spending doing something I do care about, so keep at it!
    • Re: (Score:1, Informative)

      by Anonymous Coward

      I tried...I tried really hard and almost soiled myself with the effort, but I just can't care about my browser history being "stolen".

      that's like calling my garbage being stolen every week when the big truck comes and takes it away.

      Hell, the more time people spend stealing browser histories is time they're not spending doing something I do care about, so keep at it!

      Not only that, it's not actually being "stolen". It's more like it's vulnerable to a game of "Fish". Sites can basically "query" your history looking for particular URLs, and the history will simply say "yes" or "no" to indicate whether a specifically requested URL is in the history.

      So, yes, feel free to not give two shits, just like I do.

    • Do you religiously log out of every authenticated site you visit? What if one passes you through a page that puts your login token in a page URL at any point in time? What if your favorite social networking site, known for sharing your private data, suddenly learned of all the items you've been viewing on Amazon or all the news articles you've been reading?

      What if you're in China and after browsing some sites you weren't supposed to you hit a government site and it pulled your history and that included some

    • Great, now we have to worry about intellectual rights regarding my history. I really do not think someone "stole" my history, they just made a copy of it. Since my history still functions just fine, I do not have a problem with this!

  • Browsers should just drop support for that attribute. As a matter of fact, why have any attributes that rely on generic browsing info. If a website wants to track which links I've visited, then show them to me via redirect and keep a list of which redirect links show up. How important is having a browser visually indicate which links I've visited? visited is just about as important as supporting the blink tag....Wait, blink isn't supported anymore.
    • by amorsen (7485)

      Visited is very useful for mailing list archives. If you try to follow a thread you can keep clicking next and previous and so on, and you can tell by the colour of the link whether you've read it before.

  • anyone wonder if that site is checking our browser history while we read the article? Slashdot.org will be the most popular site according to statistics by the end of the day.
  • Have the history clear itself every 2 min, it's what I do on my Box, sure it's annoying to have to log in constantly but on the other hand it's secure.
  • Finally, an explanation as to why my browser history is always empty. It's being stolen by someone! I wonder if I can have it returned.
  • "Affected" gets downgraded to "vulnerable" in the article. Percent of web users "affected?" Let's guess .001%.
  • This page picked up two references to youtube in my history:

    http://www.youtube.com/ [youtube.com]
    http://www.youtube.com/watch?v=sHzdsFiBbFc [youtube.com] (it's the spider on drugs that /. drew to my attention a long time ago)

    If this is a brute-force dictionary attack, then this guy really has too much time on his hands.
